Two Step Authentication: How Will This Affect My Business?
Last November, EU lawmakers formally adopted the new Payment Services Directive (PSD 2) into law, and the current 28 member states will be required to introduce national legislation to implement these new rules by 13th January 2018.
Payment Service Providers (PSPs) that are currently authorised under PSD 1 will have until 13th July 2018 to fall into line with the new directive.
Although the UK’s position on this is uncertain in light of Brexit, there is little doubt that PSD 2 will also be implemented in the UK by the Financial Conduct Authority (FCA).
This is firstly because the directive will come into force during the 2-year negotiation period for the UK’s exit, but also, crucially, because payment service providers that wish to operate within the EU will be required to adopt PSD 2 regulations, whether or not their host country is a member of the EU.
Indeed, the FCA has already stated on its website that it is “…fully supportive of the objectives behind the guidelines…”
The PSD 2 directive contains a number of regulations that will strengthen the security for online retailers and their customers, including such matters as end-to-end encryption, limiting login attempts and strengthening servers with secure configurations, as well as making some important changes in how they charge their fees.
Combatting Card Not Present Fraud
But the most significant change will be the compulsory introduction of a two-step authentication process – also known as “two-factor authentication” (2FA) – for customers when registering cards, and making credit transfers or card payments.
This is in response to the unacceptable volume of hacking and data breaches, which are rarely out of the news, and which caused European card fraud losses in 2013 amounting to €1.55 billion. Most of this fraud involved “card not present” (CNP) fraud, and a single major PSP has reported 133,000 fraudulent conversions in March 2015 alone in the UK – equating to a card’s details being stolen every 20 seconds.
All too often we hear about stolen password databases, phishing attacks, malware that reads our keystrokes and even credit card skimmers.
Clearly something must be done.
So what is two-step authentication?
This is a combination of something the user knows (e.g. a PIN or password) with something the user has (e.g. a token or mobile/smart phone) or something the user is (e.g. a fingerprint or retina recognition).
The days are gone when we could ensure transaction security with just a single password or PIN. There are all manner of reasons for this, not least the failure by so many users to memorise strong passwords and the potential for password theft and hacking.
We are now well into the world of two-step authentication and it was only a matter of time before the regulatory authorities turned their attention to introducing additional security measures for PSPs.
Most, if not all, banks have already introduced two-step authentication – typically by use of a token, a card sentry machine or a “one-time password” (OTP) via mobile phones in addition to the traditional password. Even social media organisations and other Internet institutions such as Google, major email providers, Facebook, Twitter and LinkedIn now offer users the option of two-step authentication.
Online retailers cannot turn back the clock – nor would the sensible ones want to. It is the age of the “Pareto principle”, where it is calculated that by using two-step authentication, we can safeguard approximately 80% of all transactions, at relatively little cost.
That’s all very well, but what about the potential increase in Cart Abandonment?
There is no point in pretending that this may not be an issue for retailers. Many will already be aware of the recent research that has concluded that over 67% of online sales are lost due to cart abandonment. But you should also be aware that there are a host of reasons why customers abandon their carts, and in any event, many customers return later. Top of the list of the 14 main reasons for cart abandonment are:
- Unexpected costs.
- Just browsing.
- Better price elsewhere.
- Decided against buying.
All of these issues need to be addressed, but they have little to do with any changes in the payment authentication process.
Then we come to the area that concerns us as far as the payment process is concerned. Amongst the 14 main reasons for abandonment – more than halfway down the list in order of importance – we find reasons such as:
- Website navigation too complicated.
- Process was taking too long.
- Concerns about payment security.
- Payment declined.
- and the key one: Excessive payment security checks.
Many of the reasons for cart abandonment can be addressed by retailers by improving their websites and the way they do business. Here is a list of key ‘improvement points’ you should seriously consider.
- Upgrade your software to simplify the checkout process by reducing the number of fields/steps.
- Allow the use of ‘back buttons’ so that customers do not have to start all over again.
- Arrange fields in a user-friendly order, and include a progress bar.
- Collect email addresses early on in the process – allowing you to follow up in the event of cart abandonment. Have a good, efficient automated system of email follow up.
- Upgrade your website servers to ensure there are no website crashes or ‘hangings’.
- Offer price guarantees and refunds if a customer is not satisfied.
- Add explanation/clarification labels.
- Have a “guest” checkout – never insist on customers registering and logging in.
- Show all your costs upfront, including VAT, delivery charges etc. – not at the final check-out stage.
- Consider free shipping.
- Show thumbnails and enlarged images.
- Prominently display security logos.
- Offer a chat box/telephone support.
If you implement some or all of the above, you will reduce your cart abandonment rates and mitigate the effects of having to introduce a two-step payment authentication process.
Customers will be drawn to your website rather than your competitors, because of your fast, efficient and safe checkout process.
But the most important way you can convince your customers to accept the two-step authentication process is by pointing out:
- It is in the customer’s best interests – as it will substantially improve the security of their online transactions and help to put the fraudsters out of business.
- By law, the two-step authentication process will soon become mandatory for all payment service providers, which means that in future, for all customers, it will be part and parcel of shopping online.
Remember, in this digital age nothing stays the same for long. Be one of the first to embrace this new aspect of online shopping and get one step ahead of your competitors. If you want to discuss this further, please feel free to contact us any time.